How to Build and Use a Risk Register

Posted December 18, 2014 by riskviews
Categories: Enterprise Risk Management, Risk Identification, Risk Management System


From Harry Hall at www.pmsouth.com

Project managers constantly think about risks, both threats and opportunities. What if the requirements are late? What if the testing environment becomes unstable? How can we exploit the design skills of our developers?

Let’s consider a simple but powerful tool to capture and manage your risks – the Risk Register. What is it? What should it include? What tools may be used to create the register? When should risk information be added?

The Risk Register is simply a list of risk related information including but not limited to:

  • Risk Description. Consider using this syntax: Cause -> Risk -> Impact. For example: “Because Information Technology is updating the testing software, the testing team may experience an unstable test environment resulting in adverse impacts to the schedule.”
  • Risk Owner. Each risk should be owned by one person and that person should have the knowledge and skills to plan and execute risk responses.
  • Triggers. Triggers indicate when a risk is about to occur or that the risk has occurred.
  • Category. Assigning categories to your risks allows you to filter, group, analyze, and respond to your risks by category. Standard project categories include schedule, cost, and quality.
  • Probability Risk Rating. Probability is the likelihood of risk occurring. Consider using a scale of 1 to 10, 10 being the highest.
  • Impact Risk Rating. Impact, also referred to as severity or consequence, is the amount of impact on the project. Consider using a scale of 1 to 10, 10 being the highest.
  • Risk Score. Risk score is calculated by multiplying probability x impact. If the probability is 8 and the impact is 5, the risk score is 40.
  • Risk Response Strategies. Strategies for threats include: accept the risk, avoid the risk, mitigate the risk, or transfer the risk. Strategies for opportunities include: accept the risk, exploit the risk, enhance the risk, or share the risk.
  • Risk Response Plan or Contingency Plan. The risk owner should determine the appropriate response(s) which may be executed immediately or once a trigger is hit. For example, a risk owner may take immediate actions to mitigate a threat. Contingency plans are plans that are executed if the risk occurs.
  • Fallback Plans. For some risks, you may wish to define a Fallback Plan. The plan outlines what would be done in the event that the Contingency Plan fails.
  • Residual Risks. The risk owner may reduce a risk by 70%. The remaining 30% risk is the residual risk. Note the residual risk and determine if additional response planning is required.
  • Trends. Note if each risk is increasing, decreasing, or is stable.

The Risk Register may be created in a spreadsheet, database, risk management tool, SharePoint, or a project management information system. Make sure that the Risk Register is visible and easy to access by your project team members.

The risk management processes include: 1) plan risk management, 2) identify risks, 3) evaluate/assess risks, 4) plan risk responses, and 5) monitor and control risks.

The initial risk information is entered when identifying risks in the planning process. For example, PMs may capture initial risks while developing the Communications Plan or the project schedule. The initial risk information may include the risks, causes, triggers, categories, potential risk owners, and potential risk responses.

As you evaluate your risk in the planning process, you should assign risk ratings for probability and impact and calculate the risk scores.

Next, validate risk owners and have risk owners complete response plans.

Lastly, review and update your risks during your team meetings (i.e., monitoring and control). Add emerging risks. Other reasons for updating the risk register include change requests, project re-planning, or project recovery.
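The register fields and the five-step process above, as an added worked example (not code from the post or from pmsouth.com): a small Python risk register that builds the Cause -> Risk -> Impact description, validates the 1-to-10 ratings and the threat/opportunity strategy lists, computes probability × impact, and tracks residual risk after a planned reduction. Field and method names are my own choices.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Response strategies listed in the post, keyed by whether the risk is a threat or an opportunity.
STRATEGIES = {
    "threat": {"accept", "avoid", "mitigate", "transfer"},
    "opportunity": {"accept", "exploit", "enhance", "share"},
}

@dataclass
class Risk:
    cause: str                          # Cause -> Risk -> Impact description syntax
    event: str
    consequence: str
    category: str                       # e.g. schedule, cost, quality
    kind: str = "threat"                # "threat" or "opportunity"
    owner: Optional[str] = None
    triggers: List[str] = field(default_factory=list)
    probability: Optional[int] = None   # 1..10, filled in at the assess step
    impact: Optional[int] = None        # 1..10, filled in at the assess step
    strategy: Optional[str] = None
    plans: dict = field(default_factory=dict)  # "response", "contingency", "fallback" text
    reduction_pct: int = 0              # expected reduction from the response, e.g. 70
    trend: str = "stable"               # increasing / decreasing / stable

    def description(self) -> str:
        return f"Because {self.cause}, {self.event}, resulting in {self.consequence}."

    def score(self) -> Optional[int]:
        """Risk score = probability x impact; None until the risk has been assessed."""
        if self.probability is None or self.impact is None:
            return None
        return self.probability * self.impact

    def residual_score(self) -> Optional[float]:
        """Score left after the planned response: a 70% reduction leaves 30% of the score."""
        s = self.score()
        return None if s is None else s * (100 - self.reduction_pct) / 100

class RiskRegister:
    def __init__(self) -> None:
        self.risks: List[Risk] = []

    def identify(self, risk: Risk) -> Risk:
        """Step 2: capture the initial risk information."""
        self.risks.append(risk)
        return risk

    def assess(self, risk: Risk, probability: int, impact: int) -> int:
        """Step 3: assign the 1..10 ratings and return the risk score."""
        for name, value in (("probability", probability), ("impact", impact)):
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be on the 1..10 scale, got {value}")
        risk.probability, risk.impact = probability, impact
        return risk.score()

    def plan_response(self, risk: Risk, owner: str, strategy: str, reduction_pct: int = 0) -> None:
        """Step 4: record the owner and a strategy that fits a threat or an opportunity."""
        allowed = STRATEGIES[risk.kind]
        if strategy not in allowed:
            raise ValueError(f"'{strategy}' is not a {risk.kind} strategy; choose from {sorted(allowed)}")
        if not 0 <= reduction_pct <= 100:
            raise ValueError("reduction_pct must be a percentage")
        risk.owner, risk.strategy, risk.reduction_pct = owner, strategy, reduction_pct

    def ranked(self, category: Optional[str] = None) -> List[Risk]:
        """Assessed risks (optionally one category), highest score first, for the step 5 review."""
        rows = [r for r in self.risks if r.score() is not None and category in (None, r.category)]
        return sorted(rows, key=lambda r: r.score(), reverse=True)

    def needs_more_planning(self, threshold: float) -> List[Risk]:
        """Risks whose residual score still exceeds the tolerated threshold."""
        return [r for r in self.ranked() if r.residual_score() > threshold]
```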

Emerging Risks

Posted December 16, 2014 by riskviews
Categories: Enterprise Risk Management

By Max Rudolph

Over the past year there has been lots of publicity about cyber security risk. Data breaches and NSA surveillance may be top of mind, but a host of emerging risks show concerning signs and interaction possibilities. In the 7th survey of emerging risks, a group of risk managers shared their thoughts about current and future risks. Trending up are risks surrounding greater regulatory focus and cyber security, with oil price shock trending down as supplies have picked up.

Emerging risks look across longer time horizons, 10 years or more, and for outliers that would create disruption to business as usual. An earthquake in Los Angeles or a hurricane in Miami could be a horrific event for those living through it, but historical data shows the likelihood of such events to be high when viewed across centuries or millennia. Emerging risks look at events like plague or space weather that tend not to be considered when making business decisions. These risks evolve over many years, so one would expect stability in the risks considered.

Over five years have passed since Bear Stearns and Lehman Brothers ceased to be independent. While many risk managers are concerned about the calm in today’s markets, the truth is that they have more time to think about risks that might not impact them for 10 years than they did in 2009. This shows up in trend data and the concentration of risk combinations.

In the year since the previous survey, equity markets and oil prices continued their trend upward, while the dollar reversed course and strengthened versus the Euro. Here are the top six responses, when asked for the top five emerging risks (percentages based on number of surveys).

1. Financial volatility (59%)
2. Cyber security/interconnectedness of infrastructure (47%)
3. Blow up in asset prices (30%)
4. Demographic shift (30%)
5. Failed and failing states (29%)
6. Regional instability (29%)

This represents a shifting pattern away from geopolitical and economic categories and toward technological, societal and environmental ones. Here are the top five choices from a year ago.

1. Financial volatility (62%)
2. Regional instability (42%)
3. Cyber security/interconnectedness of infrastructure (40%)
4. Failed and failing states (33%)
5. Chinese economic hard landing (31%)

Excerpt from Risk Management, August 2014

Read the full survey report at SOA.ORG

Communicating with the CEO

Posted December 14, 2014 by riskviews
Categories: Enterprise Risk Management

What’s the job of a CEO? When you come down to it, a CEO’s job is to make decisions. The right decisions. Knowing your CEO’s priorities is key to communicating effectively.

“The single biggest problem in communication is the illusion that it has taken place.”

GB Shaw

Many business leaders climb the corporate ladder using a path that requires more “fast, heuristic-based” thinking than “technical, algorithmic analysis.” That’s not necessarily a bad thing!

Business schools teach you to define key metrics and then find solutions that optimize those metrics seeking to maximize expected value. But executives more often prefer to maximize likely profits from among possibilities with acceptable downside potential. This approach works well for executives who must make decisions quickly—especially when not all of the variables can readily be quantified. So it’s no surprise that many CEOs make use of it.

The point of communication isn’t to speak. It’s to be heard and understood—to have influence and motivate action. Effective communication requires knowing what information you want to convey and what action you want to motivate, but that’s not enough. You must also know your audience—in this case CEOs—well enough to determine what factors will truly resonate and motivate them to take the desired action based on your information.

It’s a good idea, for example, to have a sense of the CEO’s thinking style, decision process and risk attitude.

Change is always seen as potentially painful and dangerous. When the company is in a truly painful spot, you may be able to get the CEO to take a different approach…but even then, flexibility in your communication style is much more likely to be effective. Remember: the CEO’s job isn’t just to make decisions—it’s to make the right decisions. So any information you bring to your CEO must be communicated in a useful format, so that he or she can chart the right course for the company.

See more at: http://blog.willis.com/2014/12/communicating-with-your-ceo/

ERM: Who is Responsible?

Posted November 7, 2014 by riskviews
Categories: Chief Risk Officer, Enterprise Risk Management, Risk Management System


The Board is Responsible.

The CEO is Responsible.

Top Management is Responsible.

The CRO is Responsible.

The Business Unit Heads are Responsible.

The CFO is Responsible.

And on and on…

But this sounds like a recipe for disaster.  When everyone is responsible, often no one takes responsibility.  And if everyone is responsible, how is a decision ever reached?

Everyone needs to have different responsibilities within an ERM program.  So most often, people are given partial responsibility for ERM depending upon their everyday job responsibilities.

And in addition, a few people are given special new responsibilities and new roles (usually part time) are created to crystallize those new roles and responsibilities.  Those new roles are most often called:

  • Risk Owners
  • Risk Committee Members

But there are lots and lots of ways of dishing out the partial responsibilities.  RISKVIEWS suggests that there is no one right or best way to do this.  But instead, it is important to make sure that every risk management task is being done and that there is some oversight to each task.  (Three Lines of Defense is nice, but not really necessary.  There are really only two necessary functions – doing and assurance.)

To read more about a study of the choices of 12 insurers &

What CEOs Think about Risk

Posted October 30, 2014 by riskviews
Categories: Enterprise Risk Management

In the book Streetlights and Shadows, Gary Klein describes three sorts of risk management.

  • Prioritize and Reduce – the system used by safety and (insurance) risk managers.  In this view of risk management, there is a five step process to
    1. Identify Risks
    2. Assess and Prioritize Risks
    3. Develop plans to mitigate the highest priority risks
    4. Implement plans
    5. Track effectiveness of mitigations and adapt plans as necessary
  • Calculate and Decide – the system used by investors (and insurers) to develop multi scenario probability trees of potential outcomes and to select the options with the best risk reward relationship.
  • Anticipate and Adapt – the system preferred by CEOs.  For each potential course of action, the worst case scenario is assessed.  If the worst case is within acceptable limits, then the action is considered for its benefits.  If the worst case is outside of acceptable limits, then consideration is given to management actions that reduce or eliminate the adverse outcomes.  If those outcomes cannot be brought within acceptable limits, then the option is rejected.

Most ERM Systems are set up to support the first two ideas of Risk Management.

But if it is true that most CEOs favor the Anticipate and Adapt approach, a total mismatch between what the CEO is thinking and what the ERM system is doing emerges.

It would not be difficult to develop an ERM system that matches with the Anticipate and Adapt approach, but most risk managers are not even thinking of that possibility.

Under that system of risk management, the task would be to look at a pair of values for every major activity.  That pair would be the planned profit and the worst case loss.  During the planning stage, the Risk Manager would then be tasked to find ways to reduce the worst case losses of potential plans in a reliable manner.  Once plans are chosen, the Risk Manager would be responsible to make sure that any of the planned actions do not exceed the worst case losses.

Thinking of risk management in this manner allows us to understand that the worst possible outcome for a risk manager would not be a loss from one of the planned activities of the firm; it would be a loss that is significantly in excess of the maximum loss that was contemplated at the time of the plan.  The excessive loss would be a signal that the Risk area is not a reliable provider of risk information for planning, decision making or execution of plans, or all three.

This is an interesting line of reasoning and may be a better explanation for the way that risk managers are treated within organizations and especially why risk managers are sometimes fired after losses.  They may be losing their jobs, not because there is a loss, but because they were unable to warn management of the potential size of the loss.  It could well be that management would have made different plans if they had known in advance the potential magnitude of losses from one of their choices.

Or at least, that is the story that they believe about themselves after the excessive loss.

This suggests that risk managers need to be particular with risk evaluations.  Klein also mentions that executives are usually not particularly impressed with evaluations of frequency.  They most often want to focus on severity.

So whatever is believed about frequency, the risk manager needs to be careful with the assessment of worst case losses.

(A rerun of a previous post under a new name)

Transparency, Discipline and Alignment

Posted October 27, 2014 by riskviews
Categories: Control Cycle, Enterprise Risk Management, ERM


Firms that have existed for any length of time are likely to have risk management.  Some of it was there from the start and the rest evolved in response to experiences.  Much of it is very efficient and effective while some of the risk management is lacking in either efficiency or effectiveness.  But some of the risk management that they might need is either missing or totally ineffective.  It is somewhat hard to know, because risk management is rarely a major subject of discussion at the firm.  Risk management happens in the background.  It may be done without thinking.  It may be done by people who do not know why they are doing it.  Some risks of the firm are very tightly controlled while others are not.  But the different treatment is not usually a conscious decision.  The importance of risk management differs greatly in the minds of different people in the firm and sometimes the actions taken to reduce risk actually work against the desired strategy of the firm.  The proponents of carefully managed risk may be thought of as the business prevention department and they are commonly found to be at war with the business expansion department.

Enterprise Risk Management (ERM) is an approach to risk management that provides three key advantages over traditional, ad hoc, evolved risk management.  Those advantages are:

Transparency

Discipline

Alignment

ERM takes risk management out of the background and makes it an open and transparent primary activity of the firm.  ERM does not push any particular approach to risk, but it does promote openly discussing and deciding and documenting and communicating the approach to each major risk.  The risk appetite and tolerances are decided and spoken out loud and in advance in an ERM process, rather than in arrears (and after a major loss) as is more often the case with a traditional risk management program.

Transparency is like the math teacher you had in high school who insisted that you show your work.  Even if you were one of those super bright math geeks who could just do it all in your head and immediately write down the correct answer.  When you wrote down all of the steps, it was transparent to the math teacher that you really did know what you were doing.  Transparency means the same sort of thing with ERM.  It means showing your work.  If you do not like having to slow down and show your work, you will not like ERM.

ERM is based upon setting up formal risk control cycles.  A control cycle is a discipline for assuring that the risk controlling process takes place.  A discipline, in this context, is a repeatable process that if you consistently follow the process you can expect that the outcomes from that process will be more reliable and consistent.

A pick-up sports team may or may not have talent, but it is guaranteed not to have discipline.  A school team may have a little talent or a lot and some school teams have some discipline as well.  A professional sports team usually has plenty of talent.  Often professional teams also have some discipline.  The championship sports teams usually have a little more talent than most teams (it is extremely difficult in most sports to have lots more talent than average), but they usually have much more discipline than the teams in the lower half of the league.  Discipline allows the team to consistently get the best out of their most talented players.  Discipline in ERM means that the firm is more likely to be able to expect to have the risks that they expect to have.

ERM is focused on Enterprise Risks.  In RISKVIEWS mind, Enterprise Risks are those risks that could result in losses that would require the firm to make major, unexpected changes to plans or that would disrupt the firm (without necessarily causing losses) in such a way that the firm cannot successfully execute the plans.  Enterprise Risks need to be a major consideration in setting plans.  Through discussions of Risk Appetite and Tolerance and returns for risks and the costs of risk mitigations, ERM provides a focus on alignment of the risk management with the strategic objectives of the firm.

To use another sports analogy, picture the football huddle where the quarterback says “ok.  Everyone run their favorite play!”  Without ERM, that is what is happening, at least regarding ERM at some companies.

Alignment feeds off of the Transparency of ERM and Discipline provides the payback for the Alignment.

Decision Making Under Deep Uncertainty

Posted October 20, 2014 by riskviews
Categories: Decision Making, Enterprise Risk Management, Uncertainty

The above is a part of the title of a World Bank report.  The full title of that report is

Investment Decision Making Under Deep Uncertainty – Application to Climate Change

While that report focuses upon that one specific activity – Investing, and one area of deep uncertainty – Climate Change, there are some very interesting suggestions contained there that can be more broadly applied.

First, let’s look at the idea of Deep Uncertainty.  They define it as:

deep uncertainty is a situation in which analysts do not know or cannot agree on (1) models that relate key forces that shape the future, (2) probability distributions of key variables and parameters in these models, and/or (3) the value of alternative outcomes.

In 1973, Horst W.J. Rittel and Melvin M. Webber, two Berkeley professors, published an article in Policy Sciences introducing the notion of “wicked” social problems. The article, “Dilemmas in a General Theory of Planning,” named 10 properties that distinguished wicked problems from hard but ordinary problems.

1. There is no definitive formulation of a wicked problem. It’s not possible to write a well-defined statement of the problem, as can be done with an ordinary problem.

2. Wicked problems have no stopping rule. You can tell when you’ve reached a solution with an ordinary problem. With a wicked problem, the search for solutions never stops.

3. Solutions to wicked problems are not true or false, but good or bad. Ordinary problems have solutions that can be objectively evaluated as right or wrong. Choosing a solution to a wicked problem is largely a matter of judgment.

4. There is no immediate and no ultimate test of a solution to a wicked problem. It’s possible to determine right away if a solution to an ordinary problem is working. But solutions to wicked problems generate unexpected consequences over time, making it difficult to measure their effectiveness.

5. Every solution to a wicked problem is a “one-shot” operation; because there is no opportunity to learn by trial and error, every attempt counts significantly. Solutions to ordinary problems can be easily tried and abandoned. With wicked problems, every implemented solution has consequences that cannot be undone.

6. Wicked problems do not have an exhaustively describable set of potential solutions, nor is there a well-described set of permissible operations that may be incorporated into the plan. Ordinary problems come with a limited set of potential solutions, by contrast.

7. Every wicked problem is essentially unique. An ordinary problem belongs to a class of similar problems that are all solved in the same way. A wicked problem is substantially without precedent; experience does not help you address it.

8. Every wicked problem can be considered to be a symptom of another problem. While an ordinary problem is self-contained, a wicked problem is entwined with other problems. However, those problems don’t have one root cause.

9. The existence of a discrepancy representing a wicked problem can be explained in numerous ways. A wicked problem involves many stakeholders, who all will have different ideas about what the problem really is and what its causes are.

10. The planner has no right to be wrong. Problem solvers dealing with a wicked issue are held liable for the consequences of any actions they take, because those actions will have such a large impact and are hard to justify.

These Wicked Problems sound very similar to Deep Uncertainty.

The World Bank report suggests that “Accepting uncertainty mandates a focus on robustness”.

A robust decision process implies the selection of a project or plan which meets its intended goals – e.g., increase access to safe water, reduce floods, upgrade slums, or many others– across a variety of plausible futures. As such, we first look at the vulnerabilities of a plan (or set of possible plans) to a field of possible variables. We then identify a set of plausible futures, incorporating sets of the variables examined, and evaluate the performance of each plan under each future. Finally, we can identify which plans are robust to the futures deemed likely or otherwise important to consider.

That sounds a lot like a risk management approach.  Taking your plans and looking at how your plans work under a range of scenarios.
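The robust decision process quoted from the World Bank report, as an added worked example that is not from the report or from this post: each plan's performance is evaluated under each plausible future, the futures in which a plan misses its goal are its vulnerabilities, and the robust plans are those that meet the goal across every future deemed worth considering; a minimax-regret tie-break is added as one common way to choose among them. The plan names, future names and performance figures are constructed sample data.

```python
from typing import Dict, List, Optional

# Performance of each candidate plan under each plausible future (constructed sample values,
# read as the share of the intended goal achieved, higher is better). Rows are plans,
# columns are futures; the names are hypothetical, not taken from the report.
Performance = Dict[str, Dict[str, float]]

SAMPLE: Performance = {
    "optimized_for_baseline": {"baseline": 0.95, "drier": 0.55, "wetter": 0.90, "rapid_growth": 0.60},
    "diversified":            {"baseline": 0.85, "drier": 0.80, "wetter": 0.82, "rapid_growth": 0.78},
    "minimal":                {"baseline": 0.70, "drier": 0.65, "wetter": 0.68, "rapid_growth": 0.50},
}


def all_futures(perf: Performance) -> List[str]:
    return sorted({f for row in perf.values() for f in row})


def vulnerabilities(perf: Performance, plan: str, goal: float,
                    futures: Optional[List[str]] = None) -> List[str]:
    """Step 1: the futures in which a plan fails to meet its intended goal."""
    return [f for f in (futures or all_futures(perf)) if perf[plan][f] < goal]


def worst_case(perf: Performance, plan: str, futures: Optional[List[str]] = None) -> float:
    """Lowest performance of a plan across the futures considered."""
    return min(perf[plan][f] for f in (futures or all_futures(perf)))


def max_regret(perf: Performance, plan: str, futures: Optional[List[str]] = None) -> float:
    """Largest shortfall of this plan versus the best available plan in each future."""
    fs = futures or all_futures(perf)
    return max(max(perf[p][f] for p in perf) - perf[plan][f] for f in fs)


def robust_plans(perf: Performance, goal: float, futures: Optional[List[str]] = None) -> List[str]:
    """Step 3: plans that meet the goal in every future deemed likely or important."""
    return [p for p in perf if not vulnerabilities(perf, p, goal, futures)]


def minimax_regret_plan(perf: Performance, futures: Optional[List[str]] = None) -> str:
    """Tie-break among plans: the one whose worst regret across the futures is smallest."""
    return min(perf, key=lambda p: max_regret(perf, p, futures))
```

Restricting the futures to the baseline and wetter cases flips the answer toward the plan optimized for the expected scenario, which is exactly the choice the report says must be made deliberately.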

This is a different approach from what business managers are trained to take.  And it is a clear example of the fundamental conflict between risk management thinking and the predominant thinking of company management.

What business managers are taught to do is to predict the most likely future scenario and to make plans that will maximize the results under that scenario.

And that approach makes sense when faced with a reliably predictable world.  But in those situations when you are faced with Deep Uncertainty or Wicked Problems, the Robust Approach should be the preferred approach.

Risk managers need to understand that businesses mainly need to apply the Robust/risk management techniques to these Wicked Problems and Deep Uncertainty.  It is a major waste of time to seek to apply the Robust Approach when the situation is not that extreme.  Risk managers need to develop skills and processes to identify these situations.  Risk managers need to “sell” this approach to top management.  Risks need to be divided into two classes – “normal” and “Deep Uncertain/Wicked” and the Robust Approach used for planning what to do regarding the business activities subject to that risk.  The Deep Uncertainty may not exist now, but the risk manager needs to have the credibility with top management when they bring their reasoning for identifying a new situation of Deep Uncertainty.
